Best practices for servers


I’m using Tailscale with Office365, so when we generate an authentication key for the servers, they are shown as authenticated in the taskbar as one of the network admins.

This makes me nervous, because the servers could potentially be shared with several employees who are not network admins. And I am assuming that the key is somehow privileged against the Tailscale API or something like that.

Is there some best practice about how to set up a server network in Tailscale? Particularly, should I be creating a new AD user to authenticate against for every machine, or for every ACL boundary, or?

Ideally there would be some way for a machine to just authenticate into the network as itself. That is, even if I have the following line in the ACL:

    // All employees can access their own devices
    { "action": "accept", "src": ["autogroup:members"], "dst": ["autogroup:self:*"] },

Then ideally nobody owns it by default, and that machine doesn’t have any privileges to connect to anyone outbound, i.e. it would be quarantined and can’t be used like a bastion.

The best practice for authkeys for servers is to use tags: ACL tags are generally available · Tailscale

A tagged device is not owned by the user who created it, it is owned by the tag.
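
As an added example (not from this thread, from DGentry, or from Tailscale’s own docs), here is a complete tailnet policy file that applies that advice: servers are joined with an auth key that carries `tag:server`, so the tag owns them and the admin who generated the key does not; employees keep the `autogroup:self` rule for their own workstations, which does not match tagged devices; and no rule lists the tag as a source, so the servers are quarantined outbound. The group names, tag name and e-mail addresses are hypothetical. The thread’s rule uses the older spelling `autogroup:members`; the block uses the current `autogroup:member`.

```jsonc
// Added example policy (hypothetical names: group:infra, group:employees,
// tag:server and the e-mail addresses are placeholders, not from the thread).
{
  "groups": {
    // People who run the infrastructure.
    "group:infra": ["alice@example.com"],
    // Everyone else who needs to reach the servers.
    "group:employees": ["bob@example.com", "carol@example.com"]
  },

  // Only group:infra may generate an auth key carrying tag:server or run
  // `tailscale up --advertise-tags=tag:server`.
  "tagOwners": {
    "tag:server": ["group:infra"]
  },

  "acls": [
    // Employees can reach their own devices. A device joined with a
    // tag:server key is owned by the tag, so it is in nobody's
    // autogroup:self and this rule never reaches it.
    { "action": "accept", "src": ["autogroup:member"], "dst": ["autogroup:self:*"] },

    // Employees reach the servers only on the service port.
    { "action": "accept", "src": ["group:employees"], "dst": ["tag:server:443"] },

    // Admins additionally get SSH to the servers.
    { "action": "accept", "src": ["group:infra"], "dst": ["tag:server:22"] }

    // Deliberately no rule with "src": ["tag:server"]. Tailscale ACLs are
    // default-deny, so the servers cannot initiate connections to any
    // workstation and cannot be used as a bastion.
  ],

  // Policy tests the admin console evaluates before the policy is saved.
  // They assert the quarantine property directly: a server cannot reach an
  // employee's or an admin's workstation, while the intended inbound
  // access still works.
  "tests": [
    { "src": "tag:server", "deny": ["bob@example.com:22", "alice@example.com:22"] },
    { "src": "bob@example.com", "accept": ["tag:server:443"], "deny": ["tag:server:22"] },
    { "src": "alice@example.com", "accept": ["tag:server:22", "tag:server:443"] }
  ]
}
```

To use it, generate the server’s auth key with the `tag:server` tag selected (Settings → Keys in the admin console), or join with `tailscale up --authkey <key> --advertise-tags=tag:server`; the machine then appears under the “Tagged devices” section of the device list rather than under the admin who created the key. If a policy change ever let a server reach a workstation, the `tests` block would fail and the console would refuse to save it.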

Thanks @DGentry.

I added this server to the tag client-vm yesterday and set up an ACL, but I don’t think I am seeing what I had expected to happen. For example,

  1. If I go into Users → View Devices for our network admin, I can see the servers there. I presume, then, that the ACL in the first post would give this user access to this machine, even if their role in the company was revoked or changed.

  2. On the actual device, in the taskbar, it shows their user name. And you can go into the taskbar and into My Devices, where it shows their workstation. Does My Devices show devices that you have access to, or devices that you own?

In Users → View Devices you’d still see the device, but it will show the tag:client-vm immediately below the hostname.

In the device list, it should appear in a “Tagged devices” section, not under the user who created it.

Hm, well, that user’s workstations are not tagged devices, because their actual workstations can’t be tagged; otherwise they lose all the special privs assigned to that user and their groups.

But yes, I can access their workstations from the server, under My Devices. Presumably because of this:

    // All employees can access their own devices
    { "action": "accept", "src": ["autogroup:members"], "dst": ["autogroup:self:*"] },

Do you think what I need to do is create a user specifically for infrastructure that I can use to generate the access keys? Otherwise any access keys, even from tagged devices, seem to find their way into autogroup:self for the user that generated the key.

This is a permission paradox, because you’re right, the documentation says that devices that are tagged are supposed to be treated like they don’t belong to that user anymore, but there seem to be a few edge cases where this doesn’t hold up.

Actually, I’m inclined to say that this should be considered a bug.